How can I launch a private Internet DNS server?

Timothe Litt litt at acm.org
Sat Nov 7 12:53:09 UTC 2020


On 06-Nov-20 08:50, Reindl Harald wrote:
>
>
> Am 06.11.20 um 13:25 schrieb Tom J. Marcoen:
>> First of all, sorry that I cannot reply within the thread, I was not
>> yet a member of the mailing list when those emails were sent.
>>
>>> On Thu 15/Oct/2020 18:57:16 +0200 Jason Long via bind-users wrote:
>>>>
>>>> Excuse me, I just have one server for DNS and that tutorial is
>>>> about a secondary DNS server too.
>>>
>>> Just skip the chapter about the secondary.  You're better off buying
>>> secondary DNS services externally.  A good secondary offloads your
>>> server noticeably, and keeps the domain alive in case of temporary
>>> failures.
>>>
>>> Best
>>> Ale
>>
>> Is it not a requirement to have at least two authoritative name
>> servers? I believe all TLDs require at least two name servers but I
>> must be mistaken as no one pointed this out yet.
>
> yes, and "You're better off buying secondary DNS services externally"
> doesn't say anything else
>
> the point is that the two nameservers are required to be located on
> two different ip-ranges anyway to minimize the risk that both go
> down at the same time
>
Do a web search for "secondary dns provider" and "backup dns provider".
There are a number of them, some paid, some free.   Not all are equal -
last time I looked, support for DNSSEC was uncommon, especially among
the free ones.  IPv6 support has been lagging, but improving.  Also, if
you use UPDATE, make sure the service that you use supports NOTIFY.
Some limit or charge according to the number of queries, zones and/or
names - but that doesn't necessarily correlate with price.

Also look for minimum TTL restrictions - especially with free services. 

I use a free service that does support IPv6, DNSSEC & NOTIFY - and runs
on BIND.

Often the external services provide better geographic diversity than a
small operation can - and have better internet connections. 

If you have the resources, you can also set up an agreement with a
similarly-situated organization for mutual secondary service - you slave
their zones & they slave yours.  This can work well - often at no cost -
especially if the resource demands are roughly equal.

Other caveats: external services typically won't use hostnames in your
domain - or if you want that, will charge you for it.  And if you depend
on views, external services will only work for external views - you'll
need to provide your own secondary servers for internal-only views. 

Finally, if performance matters and you have a dispersed user base, look
for a provider that has a solid infrastructure - ANYCAST is one good
clue.  You'll almost always have to subscribe to a paid service in these
cases, especially with high query rates.

RFC2182 (https://tools.ietf.org/html/rfc2182) is fairly readable and
describes many of the considerations involved in selecting secondary DNS
servers. 

DNS appears deceptively simple at first blush.  Setting up a serviceable
infrastructure requires an investment of thought and on-going
maintenance.  You will not be happy if you skimp on that investment,
since broken DNS is externally visible - and frequently catastrophic.

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed. 
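An added example (not from the original post or any provider) of what the NOTIFY and views caveats above look like in a BIND 9 named.conf: the dynamically updated zone lives in an internal view served by a self-run secondary, while the same zone name in the external view notifies and allows transfer only to the external secondary provider. All addresses, file names, the key name and the key secret are placeholders.

```conf
// Added example, not from the post. Placeholders: 10.0.0.2 is our own
// internal secondary, 192.0.2.53 / 2001:db8::53 the provider's transfer
// address, and ddns-key a TSIG key made with `tsig-keygen ddns-key`.
acl internal-nets { 10.0.0.0/8; 192.168.0.0/16; localhost; };
acl int-secondaries { 10.0.0.2; };
acl ext-secondary { 192.0.2.53; 2001:db8::53; };

key "ddns-key" {
    algorithm hmac-sha256;
    secret "UExBQ0VIT0xERVI=";   // PLACEHOLDER: replace with tsig-keygen output
};

options {
    directory "/var/named";
    notify explicit;             // notify only the hosts in also-notify
    allow-transfer { none; };    // deny AXFR/IXFR unless a zone opens it
};

// Internal view: UPDATE arrives here, so our own secondary must be
// notified; an external provider never sees this copy of the zone.
view "internal" {
    match-clients { internal-nets; };
    zone "example.com" {
        type primary;
        file "internal/example.com.db";
        allow-update { key "ddns-key"; };
        also-notify { 10.0.0.2; };
        allow-transfer { int-secondaries; };
    };
};

// External view: the provider's servers fall through to this view, so
// they receive NOTIFY and may transfer only the public zone data.
view "external" {
    match-clients { any; };
    zone "example.com" {
        type primary;
        file "external/example.com.db";
        also-notify { ext-secondary; };
        allow-transfer { ext-secondary; };
    };
};
```

Because match-clients is evaluated in order, the provider's address must not fall inside internal-nets, or it would be served (and notified from) the internal view instead; `named-checkconf` catches syntax errors but not that kind of view mismatch.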
